SFC Mandates Phishing-Resistant Authentication Methods: Analysis of the Global Impact for the Retail Trading Industry

Hong Kong's Securities and Futures Commission (SFC) has ordered licensed brokers and crypto platforms to replace SMS- and email-based OTPs with phishing-resistant authentication methods such as Passkeys or secure device binding, giving most firms 12 months to comply.

sylwester.m@financemagnates.com
SFC Mandates Phishing-Resistant Authentication Methods: Analysis of the Global Impact for the Retail Trading Industry

Introduction

Recently, the Hong Kong Securities and Futures Commission (SFC) issued new regulatory directives, requiring significant upgrades to customer authentication systems. The measures require all licensed internet brokers and Virtual Asset Trading Platform (VATP) operators to stop using One-Time Passwords (OTPs) delivered via SMS or email for customer login and device binding.

Instead, regulated firms must adopt phishing-resistant authentication methods, specifically Passkeys based on the FIDO2/WebAuthn standards or secure hardware-based device binding. The SFC has given most firms 12 months to implement the new requirements, while large internet brokers are expected to adopt these solutions immediately.


What is FIDO2/WebAuthn standard?

E

Explanation:

"Passkeys based on the FIDO2/WebAuthn standard utilize asymmetric public-key cryptography, where a private key remains securely isolated within the user's hardware device and is never transmitted over the network. Authentication is unlocked locally via biometrics or a device PIN, and because the cryptographic token is strictly and intrinsically bound to the broker's legitimate domain name, it cannot be intercepted or used by malicious proxy websites, making it mathematically immune to phishing attacks."

Technical Threat: Adversary-in-the-Middle (AiTM) Phishing

The new requirements are a direct response to the rapid rise in multi-factor authentication (MFA) bypass attacks observed during 2025 and early 2026. According to the Hong Kong Cyber Security Incident Response Centre (HKCERT), phishing accounted for 57% of all reported cybersecurity incidents in 2025.

One of the most common attack methods is known as Adversary-in-the-Middle (AiTM) phishing. The process typically follows these steps:

  1. Malicious reverse proxy: Attackers launch phishing campaigns via SMS or email, using look-alike websites and social engineering techniques to impersonate legitimate financial institutions or regulators.
  2. Real-time credential relay: When a client enters their login credentials on the fake website, the reverse proxy immediately forwards them to the legitimate broker's platform.
  3. MFA interception: The broker sends a standard SMS or email OTP to the client. The client enters the code on the fake website, allowing the attacker to intercept the authenticated session in real time and gain unauthorized access to the account.

The core weakness is that traditional OTPs are not linked to the legitimate website or device. As a result, they cannot verify that a user is interacting with the genuine platform. The SFC therefore concluded that SMS- and email-based OTPs no longer provide an adequate level of protection for client accounts.


Jurisdictional Scope

The new requirements apply to intermediaries licensed under Hong Kong's Securities and Futures Ordinance (SFO) and cover two main categories:

Licensed Internet Brokers: Firms providing online trading services under regulated activities including:

  • Type 1 (Dealing in Securities),
  • Type 2 (Dealing in Futures Contracts),
  • Type 3 (Leveraged Foreign Exchange Trading), and
  • Type 9 (Asset Management).

Virtual Asset Trading Platforms (VATPs): SFC-licensed operators providing trading and custody services for digital assets.



Executive Accountability

The SFC has also introduced a clear accountability framework for senior management and boards of directors. The regulator explicitly states that ultimate responsibility for effective internal controls rests with executive leadership. If clients suffer losses due to inadequate authentication controls, the SFC may take enforcement action against the firm and hold senior management directly accountable.

The new framework also marks a broader shift away from shared-secret authentication toward asymmetric cryptography. To support this transition, the SFC has defined four core pillars of operational compliance: Prevention, Detection, Response, and Education.

Phishing-Resistant Prevention (Cryptographic Protocols)
Brokers are directed to integrate authentication solutions that evaluate the underlying domain of the request, rendering credential harvesting mathematically unviable.
·Passkeys (FIDO2/WebAuthn Standards): Passkeys use public-key cryptography, with the private key securely stored on the user's device and protected by biometric authentication or a device PIN. The private key never leaves the device or is transmitted over the network. Because each cryptographic signature is tied to the legitimate website where the passkey was created, it cannot be intercepted or reused through an AiTM phishing attack.
·Cryptographic Device Binding: Firms must securely register the cryptographic identity of a client's mobile or desktop device within their authentication systems. This provides the possession factor required for multi-factor authentication without relying on temporary SMS or email codes that can be intercepted by attackers.

Surveillance, Monitoring, and Incident Escalation

Beyond strengthening authentication, firms must also implement continuous monitoring to detect suspicious activity after users have logged in. Automated systems should monitor behavioural patterns, identify unusual login activity, detect simultaneous logins from different locations, and flag unusually large or rapid requests to withdraw funds or digital assets.

To support these controls, firms should immediately notify clients through secure, non-SMS channels whenever critical account changes occur. These alerts should be triggered automatically following high-risk events such as password changes, updates to banking details, or requests to register a new device.

Finally, intermediaries must maintain effective incident response procedures, including the ability to freeze compromised accounts immediately to prevent unauthorized transfers of funds or assets. In the event of a confirmed security breach or unauthorized access, firms are also required to report the incident to the SFC without delay, supporting both regulatory compliance and broader threat intelligence sharing.

Authentication ClassVulnerability to AiTM PhishingSFC Compliance StatusTechnical Operating Principle
SMS / Email OTPHigh (Susceptible to real-time reverse proxy interception)BANNED for login and binding Symmetric shared secrets transmitted over unencrypted communication channels.
App-Based TOTP (e.g., Google Authenticator)Medium-High (Can be mirrored and inputted via proxy)Restricted / DiscouragedTime-synced cryptographic tokens reliant on shared seed keys.
Device BindingNegligibleAPPROVEDUnique hardware signature linkage and possession verification.
Passkeys (FIDO2)ZeroMANDATED STRATEGYAsymmetric public/private key verification bound directly to the verified domain origin.

Global Supervisory and Operational Implications

The SFC's proactive approach could influence the direction of cybersecurity regulation well beyond Hong Kong. Financial regulators, including the CySEC in Cyprus, the Financial Conduct Authority (FCA) in the United Kingdom, and the Monetary Authority of Singapore (MAS), often monitor developments in other leading financial centres when shaping their own supervisory expectations. If Hong Kong's transition away from SMS-based OTPs proves successful, it could provide a practical model for other regulators seeking to reduce the growing number of retail account takeover attacks.

The move is also likely to accelerate the adoption of common authentication standards across the financial industry. Large international firms operating in multiple jurisdictions face increasing costs when maintaining different authentication systems for different markets.

As a result, many global financial institutions may choose to implement FIDO2/WebAuthn authentication across their core platforms rather than maintain separate regional solutions. While driven initially by compliance with Hong Kong's requirements, this approach could also accelerate the broader decline of SMS-based authentication in financial services worldwide.


Start exploring powerful compliance insights in seconds

Create your free account today to view the full article. No credit card required.